XTRF system compliance with GDPR

What is GDPR and why should I care?

GDPR stands for General Data Protection Regulation. It is an act of the European Parliament, the Council of the European Union and the European Commission, which aims to improve data protection for all individuals within the European Union by making it well-defined and unified among all the EU member states. The goal is to give control of personal data back to the people.


If you cooperate with partners based in the EU, then you have to take GDPR into consideration when running your business.

Is XTRF system GDPR ready?

XTRF 8 will be fully prepared for GDPR, thus allowing your company to meet the new legal requirements. The provisions of the regulation will be applied by the following functionalities:

  • Collecting and tracking consent from Clients and Vendors for processing of their personal data.

  • Accessing and correcting personal data by Clients and Vendors via the Client Portal and the Vendor Portal.

  • Erasing personal data from the XTRF system upon request by the data owner (Client, Vendor or Employee).

  • Exporting personal data to a structured, commonly used and machine-readable format (CSV).

XTRF 8 will be released in May 2018, before GDPR is enforced.

How does XTRF follow the Privacy by Design principle?

GDPR encourages organizations to take a ‘privacy by design’ approach, which means that privacy and data protection should be a key consideration of any project, both in its early stages and throughout its lifecycle. In XTRF, the design process plays a crucial role in system development and assuring high quality. Providing privacy and data protection to our clients and to their partners has always been a key priority for us. For this reason, we have included a special phase in the design process to investigate how changes in system behavior may affect the privacy and security of personal data.


We have also defined three design principles strictly focused on GDPR:

  • XTRF system must allow for fulfilment of GDPR requirements, but must not impose how they should be fulfilled.

  • XTRF system may simplify the fulfilment of GDPR requirements by delivering functions that facilitate or automate GDPR-related operations, but they should be enabled only when specifically requested by the user.

  • XTRF system may suggest and recommend to the user how to configure the system so that it meets GDPR requirements.

How is personal information protected within the XTRF system and infrastructure?

XTRF company acts as a data controller of personal data of XTRF system owners (among them your organization). When using XTRF onCloud service, XTRF company is also a processor of personal data of the XTRF owner's partners. XTRF system owner (your organisation) is a data controller of their partners' personal data.


XTRF implements security procedures to help protect all data stored in XTRF system from security attacks. This applies to both services, XTRF onCloud and XTRF onPremises. Security mechanisms used by XTRF include:

  • Secure password-protected database

  • File system with permission-based access restrictions

  • Secure communication between web browser and server via HTTPS protocol using a certificate signed by a trusted authority

  • Regular off-site backups

Note: If you use XTRF onPremises service, then security of the system partially depends on your internal infrastructure configuration.

What types of personal data can I store in XTRF system?

XTRF system can store personal data of your Clients (Client Contact Persons), Vendors (Vendor Contact Persons) and Users (i.e. your employees). Depending on a person's role, different types of personal data can be provided and stored in their profile in XTRF.

Personal data types that can be stored in XTRF system:

  • Name

  • Gender

  • Billing address

  • Mailing address

  • Phone/fax numbers

  • E-mail addresses

  • Department

  • Position

  • Contact languages, Native languages

  • Social media identifiers

  • Photos

  • Payment methods (bank account data or other payment method identifiers)

  • Tax numbers

  • Contract number

  • HR Data

  • Certificates, CVs, education, work experience etc.

  • Username in other systems

  • Languages, specializations and rates

  • IT Tools

  • Vendor Holidays

We advise against storing other types of personal data (e.g. credit card number) in the XTRF system.

Where can I store personal data in XTRF system?

XTRF system can store personal data of your Clients (Client Contact Persons), Vendors (Vendor Contact Persons) and Users (i.e. your employees). In order to simplify personal data administration (in accordance with GDPR) personal data should be stored only in specific areas and fields in the system. When stored properly, the data are secure and easy to track or erase when necessary. We advise against storing personal data in any other place (e.g. Custom Field).


XTRF system areas where personal data can be safely stored:

  • Client Profile and Contact Person Profile

    • Main Data (Identification Data, Sales Data, Social Media, Billing Address, Mailing Address, Invoicing, System Accounts)

    • Rates

    • Portal Settings

  • Vendor Profile and Contact Person Profile

    • Main Data (Identification Data, Sales Data, Social Media, Billing Address, Mailing Address, Invoicing, IT Tools, System Accounts, Acceptance of Terms)

    • Competencies & Rates

    • Files & Qualifications

    • Holidays

  • System User Profile

    • General Info

    • Social Media

  • Project, Quote, Opportunity

    • Client Name

    • Client Contact Persons

    • Vendor Names

    • Vendor Contact Persons

    • Files (note: files can be archived using a dedicated Archive Project/Quote functionality)

  • Invoice

    • Main Data

    • Client Data

    • Notes

  • CRM (E-mail, Memo, Task, Call, Event)

Erasing personal data from XTRF system upon request by the data owner (Client, Vendor or User)

According to GDPR, a person (data owner) can request to erase their personal data from a data controller's system. Being an XTRF user, you may be requested by your client, vendor or employee to do so. XTRF will help you fulfil the obligation by allowing you to erase the personal data of a client (Client Contact Person), vendor (Vendor Contact Person) or employee from the system, including:

  • Client, Vendor or Employee profile

  • Client or Vendor Contact Person

  • Projects, Quotes, Opportunities

  • CRM

  • History

Additionally, it is possible to archive Projects and Quotes, which moves all associated files (including those containing personal data) to an external location, where they can be safely deleted. Read more about archiving Projects and Quotes.


Note: Invoices are a special case, because they are often required by the legal regulations to be stored for a longer period of time. XTRF allows erasing Invoices independently from personal data upon request by the data owner.


XTRF system can occasionally store some data (including personal data) internally for technical reasons (caches, logs etc.). All of these files are temporary and cleaned regularly, so any personal data they contain are securely erased.


Read more about erasing personal data from XTRF.

Collecting and tracking consents from Clients and Vendors for processing their personal data

GDPR requires a data controller to obtain consent from the owner for the processing of their personal data. Every consent needs to be:

  • Unbundled

  • Active opt-in

  • Granular

  • Named

  • Easy to withdraw

XTRF will offer a set of features that can help collect and track consent from clients and vendors for the processing of their personal data, while ensuring that GDPR requirements are met:

  • Clients and vendors are presented with a list of mandatory and optional conditions of consent when they register to the Client or Vendor Portals or when the terms of any consent are updated and require re-approval.

  • Clients and Vendors can view and edit a list of consent conditions via the Client or Vendor Portals (including withdrawal).

  • A Data Administrator (user who has the role of Data Protection Officer) can manage a list of consent types from Clients or Vendors. Some forms of consent can be optional. The list can be updated when necessary.

  • A Data Administrator can manage a list of client and vendor consent conditions, and update them on their behalf when necessary.

  • Some actions in XTRF system can be consent-conditional, i.e. their execution depends on whether a specific person gave consent to a specific action (including specific use of their personal data).

Read more about consent management in XTRF.

Exporting personal data to a structured, commonly used and machine-readable format (CSV)

Personal data needs to be portable according to GDPR. This means it should be possible to export them to a structured, commonly used and machine-readable format upon request by the data owner.

XTRF Smart Views (which are used, among other things, to display lists of Vendors, Clients and their Contact Persons) offer an export function that can be used to satisfy the GDPR requirements. You can select one or more persons and export their data into the CSV file format.

More information

The information presented in this article refers to XTRF system functionality and focuses on how it can help fulfil the GDPR requirements. XTRF company's responsibility is, however, limited to the role of data processor. As a data controller, you need to ensure that your company procedures are also compliant with GDPR. Although XTRF system will guide you through GDPR by recommending good practices at certain points, the final responsibility for protecting and processing personal data of your partners is on your side. We advise you to consult your lawyer to ensure your company conforms to all GDPR provisions and local regulations.
